create self-signed certificates for local domains #183
Comments
Hi @jkleinlercher, the following steps need to be done:

```yaml
# 1. Shoot spec: allow Issuer resources to be created in the shoot cluster
kind: Shoot
...
spec:
  extensions:
  - type: shoot-cert-service
    providerConfig:
      apiVersion: service.cert.extensions.gardener.cloud/v1alpha1
      kind: CertConfig
      shootIssuers:
        enabled: true # if true, allows to specify issuers in the shoot cluster
...
```

```sh
# 2. self-signed CA certificate and key, stored as a TLS secret for the issuer
openssl req \
  -x509 -days 365 -newkey rsa:2048 -sha256 -nodes \
  -keyout key.pem -out cert.pem \
  -subj '/CN=host.example.com'
kubectl create secret tls ca-secret --cert=cert.pem --key=key.pem
```

```yaml
# 3. Issuer of type ca, referencing that secret
apiVersion: cert.gardener.cloud/v1alpha1
kind: Issuer
metadata:
  name: issuer-ca
  namespace: default
spec:
  ca:
    privateKeySecretRef:
      name: ca-secret
      namespace: default
```

```yaml
# 4. Certificate signed by that issuer
apiVersion: cert.gardener.cloud/v1alpha1
kind: Certificate
metadata:
  name: cert-simple
  namespace: default
spec:
  commonName: cert1.mydomain.com
  dnsNames:
  - cert1-foo.mydomain.com
  - cert1-bar.mydomain.com
  # if issuer is not specified, the default issuer is used
  issuerRef:
    name: issuer-ca
    namespace: default # must be specified when issuer runs in shoot!
```
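What the CA issuer steps above do under the hood, as an added Go example (standard library only; this is not gardener cert-management's own code): build a self-signed CA the way the `openssl req -x509` step does, check that cert.pem really is a CA before it becomes `ca-secret`, issue a leaf for the `commonName` and `dnsNames` of `cert-simple`, and verify that leaf the way a TLS client that trusts only this CA would. The names are the ones from the manifests; the key type (ECDSA P-256 instead of rsa:2048), the 90-day leaf lifetime, the repetition of the CN in the SAN list and all function names are assumptions of the example. Passing `kargo-webhooks-server.<namespace>.svc` as `dnsNames` to the same `IssueLeaf` gives the kind of in-cluster webhook certificate the issue text asks about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed inputs copied from the manifests above: the openssl -subj CN and the
// commonName/dnsNames of cert-simple (the CN is repeated in the SANs, see IssueLeaf).
const CACommonName, LeafCommonName = "host.example.com", "cert1.mydomain.com"
var LeafDNSNames = []string{"cert1.mydomain.com", "cert1-foo.mydomain.com", "cert1-bar.mydomain.com"}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } // P-256 is an assumption; the openssl line uses rsa:2048

// sign creates and re-parses a certificate; parent == template yields a self-signed one.
func sign(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewSelfSignedCA mirrors the `openssl req -x509` step, stating explicitly what an
// Issuer of type ca needs from cert.pem: basicConstraints CA:TRUE plus keyCertSign.
func NewSelfSignedCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0), // -days 365
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return sign(tmpl, tmpl, key, key)
}

// IsCASigner is the check to run on cert.pem before `kubectl create secret tls ca-secret`:
// OpenSSL chain validation rejects an issuer that asserts CA:FALSE or lacks keyCertSign.
func IsCASigner(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0
}

// IssueLeaf does what an Issuer of type ca does for a Certificate resource: sign a
// server certificate for commonName/dnsNames with the CA key. Go, like current
// browsers, matches host names against the SANs only, never against the CN.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, dnsNames []string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 3, 0), // assumed 90-day leaf lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, key, caKey)
}

// VerifyForHost checks leaf -> ca for host as a TLS client trusting only this CA would.
func VerifyForHost(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, err := NewSelfSignedCA(CACommonName)
	if err != nil {
		panic(err)
	}
	leaf, _, err := IssueLeaf(ca, caKey, LeafCommonName, LeafDNSNames)
	if err != nil {
		panic(err)
	}
	fmt.Println("cert.pem usable as issuer CA:", IsCASigner(ca))
	fmt.Println("cert1-foo:", VerifyForHost(leaf, ca, "cert1-foo.mydomain.com"), "| other:", VerifyForHost(leaf, ca, "other.mydomain.com"))
}
```

Two things the manifests do not make visible: the host name check passes only for names listed in `dnsNames` (which is why the example repeats the CN there), and a leaf signed by this CA does not verify against any other CA. The equivalent check on the file produced by the openssl step is `openssl x509 -in cert.pem -noout -text`, where the output must show basicConstraints `CA:TRUE` and a keyUsage containing Certificate Sign.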
Hey @RaphaelVogel, thank you so much for this detailed explanation. This helps a lot! On the other hand, it also shows me that it is much more complicated than in cert-manager, where I can create a selfsigned-issuer just with this, without creating any ca-secret.
I fully understand the spec extension in the shoot spec. However, creating a certificate and a secret brings me into the situation that I need to manage this secret somehow. Is there an easier way like "spec.selfSigned" in cert-manager planned? https://cert-manager.io/docs/configuration/selfsigned/
@jkleinlercher, we are working on a solution which is comparable to the one provided by the
The Gardener project currently lacks enough active contributors to adequately respond to all issues.
You can:
/lifecycle stale
/remove-lifecycle stale
What would you like to be added:
Gardener Cert-Manager Issuer should be able to create self-signed certificates.
Why is this needed:
We use the project Kargo, and there in https://github.com/akuity/kargo/blob/main/charts/kargo/templates/webhooks-server/cert.yaml a certificate for dnsName "kargo-webhooks-server.{{ .Release.Namespace }}.svc" is created, to enable a TLS connection between the Kubernetes API server and this admission-controller webhook.
The project normally creates its own issuer to create a selfSigned certificate: https://github.com/akuity/kargo/blob/main/charts/kargo/templates/common/cert-issuer.yaml
Look at `.spec.selfSigned`.
So we do not want to install cert-manager but use the gardener cert-manager to create a certificate. However, I didn't find a way to create self-signed certificates the way cert-manager does.
Maybe someone can explain how to achieve this with the current features of gardener cert-management?